Nozomi finds vulnerabilities in SEL software applications used in engineering workstations

Research and analysis by the Nozomi Networks Labs team has led to the discovery of nine vulnerabilities affecting two main software applications developed by Schweitzer Engineering Laboratories (SEL): SEL-5030 acSELeratorQuickSet and SEL-5037 GridConfigurator. These applications, often installed on Windows workstations, are used by engineers or technicians to commission, configure, and monitor SEL devices. 

“The most severe of those 9 vulnerabilities would allow a threat actor to facilitate remote code execution (RCE) on an engineering workstation,” the researchers wrote in a Thursday blog post. “As both SEL software offerings include a wide range of functionalities that help asset owners and system operators efficiently supervise and manage complex infrastructures, their exploitation could allow a threat actor to alter the logic of all SEL devices controlled by either software application.” 

In the ‘high-risk’ category, the Nozomi researchers disclosed that ‍CVE-2023-31175: Execution with Unnecessary Privileges CVSS v3.1 with a base score of 8.8; CVE-2023-34392: Missing Authentication for Critical Function CVSS v3.1 with a base score of 8.2; CVE-2023-31173: Use of Hard-coded Credentials CVSS v3.1 with a base score of 7.7; and CVE-2023-31174: Cross-Site Request Forgery (CSRF), CVSS v3.1 with a base score of 7.4. 

The researchers revealed that the vulnerabilities in the ‘medium-risk’ category included ‍CVE-2023-31170: Inclusion of Functionality from Untrusted Control Sphere CVSS v3.1 with a base score of 5.9; CVE-2023-31171: Improper Neutralization of Special Elements used in an SQL Command (SQLInjection) CVSS v3.1 with a base score of 5.9; and CVE-2023-31172: Incomplete Filtering of Special Elements CVSS v3.1 with a base score of 5.9. They also listed CVE-2023-31168: Inclusion of Functionality from Untrusted Control Sphere CVSS v3.1 with a base score of 5.5 and ‍CVE-2023-31169: Improper Handling of Unicode Encoding (CWE-176), CVSS v3.1 with a base score of 4.8. 

The post added that CVE-2023-31168 to 31172 affect AcSELerator QuickSet up to version 7.1.3.0 (included). CVE-2023-31173 to 31175 and CVE-2023-34392 affect SEL Grid Configurator up to version 4.5.0.20 (included).

The Nozomi researchers detailed that one of the most severe vulnerabilities of QuickSet, CVE-2023-31171, was located in the software’s import of a device configuration from an external DMX file. An attacker could craft a package which, if imported, would lead to RCE on the engineering workstation with NETWORK SERVICE privileges. However, in systems where both QuickSet and Grid Configurator are installed, this bug could be chained with CVE-2023-31175 (an Elevation of Privilege vulnerability affecting Grid Configurator) to achieve administrative privileges on the target workstation.

They added that there are many vectors through which an attacker may attempt to exploit this vulnerability. For instance, a threat actor may send a phishing email to a victim engineer with a DMX file attached and use social engineering to convince them into restoring it; or a malicious insider could attempt to poison copies of DMX files in storage or backup servers and simply wait for them to be restored.

After compromising the engineering workstation, an attacker may use the system, its functionality and connectivity to launch a range of attacks, including exfiltration of sensitive data; surveillance or manipulation of the logic executed by target devices; and lateral movements.

“The next most severe vulnerability, CVE-2023-34392, is caused by an unauthenticated web service exposed on localhost by Grid Configurator,” the Nozomi researchers added. “Due to this issue, a specifically crafted client-side script code executed on the engineering workstation while Grid Configurator is open in the background could surreptitiously send commands to target devices. One of the ways to successfully exploit this vulnerability is via a malicious webpage. The simple act of clicking on a link, in the right conditions, could be enough to change a device configuration unbeknownst to the victim.”

However, the social engineering phase of convincing a victim into clicking on a link would be unnecessary if an attacker managed to compromise a website regularly visited by the target. For example, through a stored Cross-Site Scripting (XSS) vulnerability on the legitimate website.

“Having reached this stage, an attacker would be able to execute any of the supported commands on a target device by either establishing a new session or injecting commands in an already established session, the researchers identified. “Finally, the native functionality to clear the terminal history could allow an attacker to cover up and erase their activities, making it more difficult for a target victim to spot any suspicious activity that may have happened in the background on their systems.”

The Nozomi researchers urged asset owners to update their software installations of both the QuickSet and Grid Configurator applications to the most recent versions. The vulnerabilities were initially disclosed by SEL to customers in product instruction manual appendices A and E, dated 20230615.

In May, Nozomi published vulnerability research that identified 19 vulnerabilities affecting the web interface of the SEL Real-time Automation Controller (RTAC) platform. These issues could have allowed an attacker to obtain unauthorized access to the web interface, alter displayed information, manipulate its logic, perform Man-in-the-Middle (MitM) attacks, or execute arbitrary code. 

Nozomi Networks Labs alerted SEL about these vulnerabilities last November. SEL responded by sharing details of the vulnerabilities and providing firmware update instructions in an SEL Service Bulletin dated 11/15/22 that was disseminated to affected customers.

Last month, Nozomi researchers disclosed the presence of 14 vulnerabilities in the Phoenix Contact Web Panel 6121-WXPS HMI device (firmware version 3.1.7). The team found that the device is affected by several critical issues that could be exploited by a remote attacker to completely compromise it. The most critical vulnerabilities affect the two main network services, which are exposed by default on the WP 6121-WXPS to execute maintenance operations on the target device.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.